keystone/releasenotes/notes/bug-1897280-e7065c4368a325ad.yaml
Stuart Grace 36d6fc7f8f Accept STS and IAM services from Ceph Obj Gateway
Ceph Object Gateway can use keystone for authenticating user requests
to its S3-compatible API, but recent versions also provide two other
AWS-compatible APIs for managing user access: Security Token Service
(STS) and Identity and Access Management (IAM). These attempt to
authenticate requests with Keystone but always receive 403 Access
Denied because _calculate_signature_v4() in api/s3tokens.py only
accepts "s3" as the service name. This patch accepts any of "s3" or
"sts" or "iam" as valid service names.

Change-Id: I69f16ed55dd9852859307b701a8391ba1e71c042
Closes-Bug: #1897280
2021-11-24 16:09:21 +00:00

---
fixes:
  - |
    [`Bug 1897280 <https://launchpad.net/bugs/1897280>`_]
    Allows s3 tokens with service types sts and iam to authenticate. This
    is necessary when using assumed role features of Ceph object storage and
    keystone is providing the authentication service for Rados Gateway.
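
The check the commit message describes, as an added example (not keystone's own code): a SigV4 verifier that reads the service name from the credential scope of the string-to-sign and only derives a signing key for services on an allow-list. The function names, the sample secret and the sample string-to-sign are constructed for illustration.

```python
import hashlib
import hmac

# Service names accepted after the change described above.
ALLOWED_SERVICES = frozenset({"s3", "sts", "iam"})
SAMPLE_SECRET = "constructed-secret-key"  # constructed value, not a real credential


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signature_v4(secret_key, string_to_sign, allowed=ALLOWED_SERVICES):
    """Recompute the hex SigV4 signature for a client-supplied string-to-sign.

    Layout: algorithm, timestamp, <date>/<region>/<service>/aws4_request,
    hash of the canonical request, separated by newlines.
    """
    parts = string_to_sign.split("\n")
    if len(parts) != 4 or parts[0] != "AWS4-HMAC-SHA256":
        raise ValueError("not a SigV4 string-to-sign")
    scope = parts[2].split("/")
    if len(scope) != 4 or scope[3] != "aws4_request":
        raise ValueError("malformed credential scope")
    date, region, service, terminator = scope
    if service not in allowed:
        raise ValueError("service %r is not accepted" % service)
    # Key derivation chain: the service name is mixed into the signing key,
    # so a signature scoped to "sts" never validates as "s3".
    key = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for element in (region, service, terminator):
        key = _hmac(key, element)
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def verify(secret_key, string_to_sign, presented, allowed=ALLOWED_SERVICES):
    """Return True only for a well-formed, allow-listed, matching signature."""
    try:
        expected = signature_v4(secret_key, string_to_sign, allowed)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def sample_string_to_sign(service):
    """Build a constructed string-to-sign scoped to the given service."""
    digest = hashlib.sha256(b"constructed canonical request").hexdigest()
    scope = "20211124/us-east-1/%s/aws4_request" % service
    return "\n".join(["AWS4-HMAC-SHA256", "20211124T160921Z", scope, digest])
```

Calling `verify(..., allowed={"s3"})` models the allow-list before the change: a correctly signed `sts` request is rejected, which the gateway reports to the caller as 403 Access Denied.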